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KVALUAT  ION 


Tlit  necessity  tor  more  complex  software  systems  in  such  areas  as 
command  and  control  and  avionics  has  led  to  the  desire  for  better 
methods  for  predicting  software  errors  to  insure  that  software 
produced  is  ot  higher  quality  and  of  lower  cost.  This  desire  has  been 
expressed  in  numerous  industry  and  Government  sponsored  conferences, 
as  well  as  in  documents  such  as  the  Joint  Commanders'  Software 
Reliability  forking  Group  Report  (Nov  1975).  As  a result,  numerous 
efforts  have  been  initiated  to  develop  and  validate  mathematical 
models  for  predicting  such  quantities  as  the  number  of  remaining 
errors  in  a software  package,  the  time  to  achieve  a desired 

availability  level,  and  a measure  of  the 
However,  early  efforts  have  not  produced 
accuracy  ot  prediction  and  with  the  necessary 
general  model  usage. 


software  availability, 
models  with  the  desired 
confidence  limits  for 


This  effort  was  initiated  in  response  to  this  need  for  developing 
better  and  more  accurate  software  error  prediction  models  and  fits 
into  the  goals  of  KADC  TPO  No.  5,  Software  Cost  Reduction  (formerly 
RADC  TI’O  No.  11,  Software  Sciences  Technology) , in  the  subthrust  of 
Software  Quality  (Software  ‘'odeling).  This  report  summarizes  the 
development  of  a mathematical  model  for  predicting  quantities,  such  as 
the  expected  number  of  remaining  errors,  achieved  availability,  and 
time  to  detect  and  correct  a specified  number  of  errors,  for 
operational  software  systens  that  assumes  a software  error  is  not 
corrected  at  a given  time  with  probability  1 (i.e.  imperfect 
debugging).  The  importance  of  this  development  is  that  it  represents 
the  first  attempt  to  develop  software  error  prediction  models  that 
incorporate  Imperfect  debugging,  and  thus  more  closely  reflect  the 
actual  software  error  detection  and  correction  process. 


The  theory  and  equations  developed  under  this  effort  will  lead  to  nuch 
needed  predictive  measures  for  use  by  software  maintenance  personnel 
in  providing  better  and  more  efficient  maintenance  rf  operational 
software.  In  addition,  the  associated  confidence  limits  and  other 
related  statistical  quantities  developed  under  this  effort  will  Insure 
more  widespread  use  of  these  modeling  techniques.  Finally,  the 
predictive  measures  and  equations  developed  under  this  effort  will  be 
applicable  to  current  Air  Force  software  development  projects  and  thus 
help  to  produce  the  high  quality,  low  cost  software  needed  for  today's 
systems . 
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1.  INTRODUCTION 


Considerable  emphasis  has  been  placed  in  recent  years  on 
empirical  studies  of  software  error  phenomena  with  the  objective 
of  improving  software  performance.  Such  studies  can  be  classified 
into  one  (or  both)  of  two  categories.  In  the  first  category  the 
emphasis  is  on  the  analysis  of  software  error  data  collected  from 
small  or  large  projects,  during  development  and/or  operational  phases 
Studies  in  the  second  category  are  primarily  aimed  at  the  develop- 
ment of  analytical  models  which  are  then  used  to  obtain  the 
reliability  and  other  quantitative  measures  of  software  performance. 

Typical  of  the  first  category  are  the  studies  by  Akiyama 
I 1] , Belady  and  Lehman  [3],  Fries  [61,  Endres  [51,  Baker  [21, 

Motley  et  al  [161,  Miyamoto  [141,  Willman  et  al  [ 31 1 , Schneidewind 
[221,  Shooman  et  al  [251,  Sukert  [26,271,  Rye  et  al  [20],  Thayer 
et  al  [281,  and  Wagoner  [30].  These  studies  range  in  size  from 
an  analysis  of  small  data  sets  (108  errors),  e.g.  Wagoner  [30], 
to  analysis  of  large  sets  (3500  errors),  e.g.  Thayer  et  al  [28] 
and  encompass  data  from  an  on-line  system  [141,  an  operating 
system  (31,  to  that  from  the  Apollo  project  [20J. 

In  the  second  category  of  papers,  several  models  have  been 
proposed  and  studied  during  the  last  six  years.  These  include 
'exponential  type'  models  of  Shooman  [24],  Jelinski  and  Moranda 
[10,11],  and  Schick  and  Wolverton  [21];  models  based  on  the  non- 
homogeneous  Poisson  process  proposed  by  Goel  and  Okumoto  [8]  and 
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Schneidewind  [23],  and  a Bayesian  model  by  Littlewood  and  Verrall 
1 1 3 } - Halstead  [9]  has  developed  a theory  based  on  'software  physics' 
for  various  measures  of  the  performance  of  a software  system. 

Musa  [17]  has  introduced  a model  which  is  based  on  a large  number 
of  parameters  derived  from  the  software  system  being  modelled. 

Trivedi  and  Shooman  [29]  consider  a Markov  model  in  which  they 
incorporate  the  time  spent  for  removal  of  errors. 

Most  of  the  above  studies  assume  that  an  error  is  removed 


with  certainty  when  detected.  Goel  and  Okumoto  [7]  have  developed 
a model  for  the  debugging  phase  which  takes  into  consideration  the 
uncertainty  of  error  removal.  Using  this  model  they  have  derived 
expressions  for  various  quantities  of  interest.  However,  they 
assume  that  the  time  for  error  removal  is  negligible. 

In  this  report  we  present  a model  for  the  operational  phare  of 
the  system  for  the  case  when  errors  are  not  removed  with  certainty 
and  also  take  into  consideration  the  time  spent  for  error  removal. 
Expressions  for  various  quantities  of  interest,  e.g.  distribution 
of  time  to  a specified  number  of  remaining  errors,  expected  number 
of  errors  detected  and  corrected  by  time  t , and  software  system 
availability,  are  derived  from  this  model.  The  basic  model  is 
developed  in  Section  2,  and  the  quantities  of  interest  are  derived 
•in  Section  3.  Approximations  for  large-scale  software  systems 
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2.  MODEL  DEVELOPMENT 


The  process  to  be  modelled  consists  of  a sequence  of  opera- 
tional and  maintenance  (up  and  down)  states  of  the  software  system. 

We  make  the  following  assumptions  about  the  process  and  the  software 
system. 

(1)  The  errors  in  the  software  system  are  independent  of  each 
other  and  have  a constant  occurrence  rate  \ . 

(ii)  The  probability  of  two  or  more  errors  occurring  simultaneously 
is  negligible. 

(111)  When  the  system  is  inoperative  due  to  the  occurrence  of  an 
error,  the  error  causing  the  failure,  when  detected,  is 
corrected  with  probability  p (0*p<l)  while  with  probability 
q tp+q = 1)  the  error  is  not  removed.  Thus  q is  the  prob- 
ability of  imperfect  maintenance. 

(iv)  The  time  to  remove  an  error  when  there  are  i remaining 

errors  in  the  system,  Y , follows  an  exponential  distribu- 
tion with  parameter  . 

(v)  No  new  errors  are  introduced  during  the  error  removal 
(correction)  phase. 

(vi)  At  most  one  error  is  removed  at  correction  time. 

Let  X ( t ) denote  the  state  of  the  system  at  time  t . Define 
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i ; The  software  system  is  operational  while 
there  are  1 errors  remaining  in  the 
software  system,  i « 0, 1,2, , . . ,N  . (2.1) 

D ; The  software  system  is  down  for  error 
removal  (ma intenance ) . 

We  will  use  this  random  variable  to  describe  the  state  of  the  system 
at  time  t . Further,  let  N be  the  number  of  errors  at  the  begin- 
ning of  the  operational  phase,  i.e.,  X ( 0 ) =N  . 

Suppose  the  system  is  operative  with  l remaining  errors  when 
a failure  occurs.  Further,  suppose  that  the  error  removal  activity 
(maintenance)  is  carried  on  up  to  time  t . Then,  from  assumption 
(iii)  we  have 

Ii — 1 with  probability  p 

(2.2) 

i with  probability  q . 

In  other  words,  if  we  were  to  observe  the  X ( t ) process  at 
the  end  of  each  maintenance  phase,  then  its  behavior  is  governed 
by  (2.2).  It  should  be  noted  that  in  making  these  transitions  X(t) 
always  goes  through  the  D state  as  defined  in  (2.1).  A diagrammatic 
representation  of  transitions  between  states  N,N-1, . . . , 1,  0 and  n 
is  given  in  Figure  2.1.  In  general,  the  transition  probabilities 

from  state  i to  state  j via  D,  i,j  = 0,l,2,...,N  are  given 

by 
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0 1 • i-.’  I-  1 I ...  N-  • N- 1 N 


0 1 0 0 


1 P H 0 


o P q 


v \ 

\ \ 

\ \ 


N-  l 0 0 


N O 0 


Now,  ion#  (il  nud  (u)  t »\\j>  I y that  t ho  time*  betwen 

»uot'0«»  lvr  »onw.ii><  r.n  hiu'H  (moi  oocuirrnoral  follow  an  #xjh'i\- 
antial  distribution.  Suppoat*  at  aonu»  t imr  t *■  t , x(tl  - i , 

i - 0,  l N . Than  tbr  pivbnbt  l ity  dans  it  y funot  ton  (pdf)  f^lt) 

of  t ha  t imr  to  nrxt  tatlura,  T , ts  iiivm  by  t hr  distribution  of 
tho  first  oidei  st.it  int  w ot  \ rxponrnt  ini  di«ti  tluit  ions  raoh 
with  paramatar  V , i.r., 


f | ( t ) « i \ • r 


t{(t)  - V** 


(J.4) 


and  the  cumulative  dint  ribut  ion  function  (odfl  in  uiven  by 


i 


l 

I 


! 


where  V v ■ li  . 

It  should  be  pointed  out  that  undt  r assumptions  ill  and  (ill,  *e 
take  the  parameter  to  be  equal  to  iv.  Howevet  , in  general  undet  dit  • 
ferent  assumptions  i could  be  some  othei  function  of  1 and  \ . 

From  assumption  (iv),  the  cdf  ot  maintenance  times  is  obtained 

as 

"l'it 

P(Yt  < t)  - i - e . (2.6) 

Let  7,^  denote  the  time  for  one  up-down  cycle  when  the  numbei 
of  remaining  errors  is  equal  to  i , r.e., 

7*i  “ Ti  4 Yi  * (• -7> 

Then 

?4(t)  - f{Zi’st)  - (l-e  V‘  )*(l-e  U'  ) («?.tU 

where  * denotes  convolution. 

Now  we  note  that  even  though  the  stochast  ie  process  \ 1 1 I 
makes  transitions  from  state  to  state  in  accordance  with  equal  ion 
( <2 . 3 ) , the  times  spent  in  various  states  at  e random  and  me  given 
by  equation  (2.H).  Hence  (X(t)  , t*0)  forms  a semi-Maikov  process. 

A typical  realization  of  this  process  is  shown  in  Figure  2..'.  It 
should  be  pointed  out  that  in  our  formulation  the  process  X 1 1 ) 
undergoes  both  real  and  virtual  transitions.  This  means  th*d  aftet 
an  attempt  to  remove  an  error  the  state  of  X(t)  may  change  oi  may 
remain  unchanged.  In  Figure  i.2  real  transitions  oecm  at  states 
N , N-2  and  i while  a virtual  transition  occurs  at  state  N- 1 . 
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Lot  oj^'(t)  denote  the  one  step  transition  probability  that 
after  making  a transition  into  state  i,  the  process  X ( t ) next 
makes  a transition  into  state  j via  D , by  time  t . In  other  words 
if  a software  package  has  i remaining  errors  at  time  zero,  then 
o|^(t)  represents  the  probability  that  the  next  up-down  cycle, 
resulting  in  j remaining  errors,  will  be  completed  by  time  t . 
Hence,  for  i, j = 0, 1, 2,  . . . ,N  , we  can  write 

(t)  = ^ P(x(u)  = j , Z . = u I X ( 0 ) = i ] • du  . 

-1  dQ  1 


get 


or 


Since  the  events  [X(u)=j]  and  (Z^=u)  are  independent,  we 


Q(D)(t)  =C  P{X(u)=j IX(0)=i} -p(z .=ulX (0)=i) -du 

1 3 J o 1 

= C pfD* -P{Z .=u IX (0)=ij -du 

J0  13  1 

= pj^  C dP  (Z  ■ <,u) 


0ij} (t)  " Pij}  ?i(t) 


for  i, j ■ 0, 1, 2, . . . ,N  . 


,(D) 


It  is  obvious  that  o| j (t)  must  satisfy 
°i^)(t)*0,  i,  j = 0, 1, 2,  . . . ,N  , 


t * 0 


(2.9) 


and 


N 

yt  Qij  } (")  ■ P*q  - 1 . i = 0,l,...,N. 
j-0 


9 


■—  I - _ 


1>|  -^,M  ” P»  ,1 


Now,  the  one-step  transition  probabilities  from  : Late  i to 
i and  to  (i-1)  via  D are  obtained  from  (2.9)  and  (2.3)  as 


Qi?i(t)  = q ' ?i(t) 
°iDi-l(t)  = P*  ?i(t) 


(2.10) 

(2.11) 


for  i-l,2,...,N 


and 


<Jo?o(t>  ■ 1 • 


(2.12) 


Proceeding  similarly  for  all  i,  j , we  get 


0 

1 

2 

N-l 

N 


_ 0 
1 


l 

I 

0 

0 


1 

0 


P5L(t)  q^t) 


2 N-2 

0 

0 


PS2(t)  q?2 (t) 

l ^ "« 


0 

0 


N-l 

0 

0 

I 

I 


pVi(t>  qV)(t) 


P!N(U 


N 

0 

0 


0 

q?N(t) 


(2.13) 


For  known  parameters  N,  p,  Xi  and  u.^,  the  probabilities 
(t)  can  be  calculated  from  equation  (2.13).  This  equation  is 
the  basic  model  for  the  process  under  study. 
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3.  DERIVATION  OF  VARIOUS  QUANTITIES  OF  INTEREST 


3.1  Distribution  of  Time  to  a Specified  Number  of  Remaining  Errors 


Suppose  at  some  time  during  the  operational  phase  the  number 


of  remaining  errors  in  the  software  system  is  i . Let  g (t) 

i > n- 


and  G.  (t)  be  the  pdf  and  cdf,  respectively,  of  the  first  passage 

i.n0 


time  from  i to  n^  . These  quantities  are  the  pdf  and  cdf  of  the 


time  required  to  obtain  a software  system  with  nQ  errors  when  the 


initial  number  of  errors  is  i 


Since  the  number  of  errors  at  time  zero  is  N , we  are  inter- 


ested in  getting  an  expression  for  G . (t)  . First  consider  the 

N , nQ 

n . m 1%  ' — • C n At.  . m . i H.An.nnn  1 . ' AAm  V*  n A A A f A ( ^ ^ \ \ • 


case  of  perfect  maintenance.  From  the  definition  of  Q;  ((t)  , the 

1 * J 

probability  of  going  from  N to  N-l  errors  via  D in  time  [u,u+du] 

is  do i (u)  . The  process  restarts  with  (N-l)  remaining  errors 
N | N~  I 

at  time  u and  the  cdf  of  first  passage  time  from  N-l  to  nQ  is 


then  Gm  i (t-u)  . Thus  the  cdf  of  first  passage  time  from  N 
N-i, n0 


to  n^  when  the  maintenance  is  perfect  is 


SQ  GN-l,nQ(t“U) ‘dQN.N-l(u)  °N.N-l*GN-l.n0(t) 


(3.1) 


Similarly,  if  the  maintenance  at  the  first  error  removal  is  imperfect, 


the  cdf  of  first  passage  time  from  N to  nn  is 


So  GN,n0(t_u)'d°N.N(u)  " °N,N*GN,n0(t)  * 


(3.2) 


Since  the  events  depicted  in  (3.1)  and  (3.2)  are  mutually 


exclusive,  we  get  the  cdf  of  first  passage  time  from  N to  nn  as 


..  i 


L 
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(3.3) 


aH.n  <*>  - nM  ' 


In  general,  the  renewal  equation  is 


Gi,n0<t>  " Qi,i-l*Gi.l,n0(t)  + Qi,i*Gi,n0(t) 


(3.4) 


for  i *=  n_+l,n->2, . . . ,N  where  G„  *1. 
o u nQ»no 

Using  Laplace-Stielt^es  (L-S)  transforms  to  solve  the  renewal 
equation  (3.4),  we  get 

3i.n0(s)  " 3i^i-l  Hq + ^3i, n0 ‘"V^V2 8 

(3.5) 


where 


OB 

Gj  (s)  = C e‘St-dGi  (s) 
1*nr>  Jfi  1,nn 


«?!<■> 


qxi»i 

(s+\i)  (s+l*i)  * 


(3.6) 


PVi 


*i,i-l(s)  “ (s+\i)  (s+n.)  • 


Solving  the  set  of  equations  (3.5)  recursively,  we  get 

* , . ■ f ^Vi  \ 

N,n0  i-n0+l(s2  + 

. * 

i-nft+l\S+rl,k/\S+r2,k  / 


(3.7) 


(3.8) 


. Jk 


where  r.  . end  r,  . satisfy 
1 # 1 *1  * 


rl,i  + r2,  i " Xi+ 


rl, ir2, i ’ pVi  * 


(3.9) 


Now  from  Corollary  A. 2 of  Appendix  A we  get 


SM  n (■)  - Hi  _ (s)H^  (s) 

N#  nn  N t nn  N»n^ 


" “n.  vno(s) 


(3.10) 


where  we  set  ^ “ ri  i and  c2  i "*  r2  i*  Finally,  we  obtain  the 
first  passage  time  distribution  from  N to  n^  as 


w « 

SN,nQ(t)  " X X , i , nQ+ 1 , i , nQ+ 1 


i-n0+l 


-r-  . t , 


(3.11) 


1 2 

where  <7M  4 ^ . i and  ^ y are  as  given  in  Appendix  A. 

N # i # **0^  ^ N $ i $ n^i*  i 

From  (3.11),  the  pdf  of  the  first  passage  time  is  obtained 


• * 


GN,nQ(t)  " XI  XI  ^N,  i,nQ+l  C*N.  j.nQ+l 


i-n0+l  i«n0+l 


X rgl,i->j  (/g2»jt-/gl»it)- 
rl,i  r2,j 


(3.12) 
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1 ' 1 


3.1.1  Mean  and  variance  of  the  first  passage  time 

The  mean  and  variance  of  the  first  passage  time  , TM  , from 

N,nQ 

N to  n^  are  obtained  as  follows 


ET 


N N 

N,n.  ^N.  i,nft+l  ^N,  j,nn+] 

° i=n0+1  ^no+1 

x (72t7":Fiti)/(ri*i“r2'i) 


N N 

ET2  = V*  V a1  n2 

N,nn  / ^ / i N,  i,nn+l  aN,  j,nn+l 


i=nQ+l  j=n0+ 1 


x(fL±..i2J_)/{r 

' r-,  .2  r,  . 2 ' 1,1  ^'3 


’2,  j 1,  i 


Var(TM  _ ) = ET2  - ( ET..  „ )2 
N > nQ  N , n^  N, n^ 


(3.13) 


(3.14) 


(3.15) 


3.1.2  Numerical  example 

For  illustration  purposes  consider  the  case  when  x^  * ix  , 
u i(i  , N = 10,  p = 0 . 9,  X = 0. 02  and  (*  = 0.05. 

The  pdf  and  cdf  for  the  first  passage  time  for  this  example 
are  plotted  in  Figures  3.1  and  3.2,  respectively.  These  plots  are 
self  explanatory. 

The  mean  and  variance  of  the  first  passage  times  from  N * 10 
to  nQ=0,l,...,9  are  computed  from  equations  (3.13)  and  (3.15)  and 
are  given  in  Table  3.1. 
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Figure  3.2  CDF  of  First  Passage  Time  from  N to  n 
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PPr~~  '^1  “-I  °r***t~**r~ 


■I 


3.2  State  Occupancy  Probabilities  and  Software  System  Availability 

In  this  section  we  are  interested  in  obtaining  expressions 
for  the  number  of  errors  remaining  in  the  software  system  and  the 
system  availability.  Let 


PN,nQ(t)  = *(*(*>  * nQ  IX  (0)  -NJ  , (3.16) 


that  is,  P (t)  represents  the  probability  that  the  software 
n,  nQ 

system  is  operational  at  time  t with  nQ  remaining  errors,  given 

that  it  was  operation  at  time  t = 0 with  N remaining  errors. 

First  we  derive  the  expression  for  system  availability  in  terms 

of  P (t)  . By  conditioning  on  the  first  up-down  cycle  of  the 

no 

process  and  using  an  approach  similar  to  that  of  Section  3.1  we 
get  the  following  renewal  equation: 


, n 


0 


(t) 


+ Q 


(D) 

n0'n0 


nQ5N  (3.17) 


Conditioning  on  the  first  passage  time,  we  get 


PM  n (t)  = n *Gh  n (t)  . 

N,n0  n0'n0  N,n0 


(3.18) 


Taking  the  L-S  transform  of  P (t)  in  (3.17)  and  of  P„  (t) 

N , 


n0'n0 


in  (3.18),  we  gee 


s 


Pn0,n0(S)  " s+  \ 


■+Q(D)  (s).P 

Vn0  V“0 


(s) 


(3.19) 


and 


„ (■)  - „ (S>-G„  „ («)  • 


0'  0 


N,n, 


(3.20) 


18 


we  get 


Substituting  the  I/-S  of  (t)  from  (3.7)  and  rearranging, 

n0'n0 


n0'n0 


(s) 


S(a+U  ) 
"o 


+ <*„  + >S  + 

no  no  0 n0 


1 - 


X -r,  r, 

nQ  2,n0  1,nQ 


1,n0  X°0 


2,n, 


r.  „ -ro  „ s+r.  _ r , -r  s+r^ 
i ■ $ Hq  i 0 X f 2 1 iIq  2 f n^. 


(3.21) 


Substituting  (3.21)  into  (3.20)  we  obtain  the  L-S  transform  of  state 
occupancy  probability,  i.e. 


',n„  r2,n.  . 

VnQ<S>  ■5N,n0<a)-^-  Q-^-°  # 


ri  n "r9  n *’N  , Hn“  1 

X 0 nn  2 f nn 


(S)  hJ  n (s) 

N.n0 


r,  _ -X_ 

^,n0  nO  ~1  ~2 

IS!,n0«s"*„.„0-l<s 


r , -r^ 

l,n0  2,nQ 


(3.22) 


where 


~1 


* V-l"'  ' ° 


(3.23) 


and 


5N,N(S)  * BN,N(S)  = r^,N(S)  ' 1 


(3.24) 


Note  that  we  use  equation  (3.10)  to  obtain  (3.22).  Therefore,  from 
Corollary  A. 2 we  have 


N.n, 


(t) 


X -r„ 
n0  2 • n0 


; ( t \ Si Si_  H 

N,n0  rl,n0_r2,n0  V1,n0 


(t) 


r , _ 

l,n0  nQ 
21 

r i ** r . N , i n.  . 

l,nn  2 , nn  0 0-1 


(t) 


r»g  = 0,  1, 2,  . . . ,N  (3.25) 


which  can  be  computed  from  the  first  passage  tine  distr ibution 


Let  A ( t)  be  the  software  system  availability  at  time  t , 
that  is,  the  probability  that  the  software  system  is  operational 
at  time  t . Then,  from  the  definition  of  P„  _ (t)  we  get  the 

N # H- 


expression  for  A(t)  , i.e. 


N 


A<t>  - Hp».n 0(t' • 

n0-° 


(3.26) 


Figure  3.3  shows  the  software  system  availability,  A(t)  and  the 

state  occupancy  probabilities,  P (t)  , for  the  case  when  N^IO, 

N,n0 

p ■ 0. 9,  i » 0. 02  and  ^ = 0.05.  It  shows  how  the  availability  improves 
with  time. 

Now,  let  N(t)  be  the  number  of  errors  remaining  in  the  soft- 
ware at  time  t.  Then,  the  distribution  of  N(t)  is  given  by 


P(N(t)»n)  " GN,n(t)  _GN,n-l(t)  n - 0,1,2, 
with  mean 


(3.27) 


N 


EN(t)  - L ( 1 - Gm  n_,(t)]  . 
n-1  N,n-1 


(3.28) 


PROBABILITY 


TIME 


Figure  3.3  Software  System  Availability  and  State 
Occupancy  Probabilities  at  Time  t . 
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3.3  Number  of  Software  Errors  Detected  by  Time  t 

Let  us  introduce  a counting  process  ( ( t ) , t iO)  , where 
NQ(t)  uenotea  the  number  of  software  errors  detected  by  time  t . 

We  are  interested  in  deriving  the  expression  for  a renewal  function 
of  this  counting  process.  Let 

MjJ(t)  - E[ND(t)  IX(O)  -N]  (3.29) 


which  represents  the  expected  number  of  software  errors  detected 
by  time  t when  there  are  N errors  at  the  beginning  of  system 
operation.  By  conditioning  on  the  first  up-down  cycle  of  the 
process  we  get  the  following  renewal  equations; 


«£u>  . 


(3.30) 


Mj(t)  - 1 - e 1 + * M^(t) 


By  using  L-S  transform  of  (3.30)  we  have 


^(s)  = iTx^  + ^j?j-i(s)”j-i(s)  + ®j?j  (s)Hj(s)  l"1*2 N <: 


where  (s ) - 0 . 


Solving  (3.31)  recursively  and  applying  the  result  from  equation 
(3.8) , we  get 


.31 
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Then  we  have  a renewal  function  of  this  counting  process  i.e. 


*•!!<*> ' ii ?r,X,i 


(3.  33 


where  the  expressions  for  ^(t)  and  ^ ( t ) are  given 

in  Corollary  A. 2. 


3.4  Number  of  Software  Errors  Corrected  by  Time  t 

We  now  introduce  another  counting  process  {Nc(t)  . t a OJ  , 
where  Nc(t)  denotes  the  number  of  software  errors  corrected  by 
time  t . Also,  let 

ll£(t)  - E(N  (t)  IX(O)  -N]  (3.34 

which  represents  the  expected  number  of  software  errors  corrected 
by  time  t when  there  are  N errors  at  the  beginning  of  system 
operation.  If  we  condition  on  the  first  up-down  cycle  of  the 
process,  we  can  get  the  following  renewal  equations* 
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Mj  (t)  = (1-e  j )*(l-e  + 0^  * M^(t)  (3.35) 


j - 1.2, ...,N  , 


where  MQ(t)  =0  . 


Solving  (3.35)  recursively  and  applying  the  result  from  equation 
(3.8)  we  get 


~C  1 N N 

m£(s)  = i e n ~2 

* i*l  j*i  s + (Kj+Uj)a + PXjUj 


p ^ 5N.i-l'S»  ' 


(3.36) 


Finally,  we  get  the  expression  for  M^(t)  in  terms  of  first  passage 


time  distribution  i.e. 


M^lt)  ‘ p iii  • 


(3.37) 


Comparing  equations  (3.33)  and  (3.37),  the  expression  for 
M^(t)  differs  only  slightly  from  the  one  for  M^(t)  because  of  the 
time  to  maintain  a software  failure  involved  in  this  model  How- 
ever, as  t -*  « we  have 


"So  =*?• 


(3.38) 


For  illustration  purposes  consider  the  case  when  N = 10, 
p = 0.9,  x=0.02  and  ^ = 0.05.  The  results  for  M^(t)  and  M^(t) 
are  plotted  in  Figure  3.4.  It  is  easy  to  see  that  the  difference 
between  the  two  curves  gets  small  as  t gets  large.  However,  if  ^ 
gets  large,  i.e.,  the  maintenance  time  goes  up,  the  two  curves  will 
get  further  apart. 
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TIME 


Figure  3.4  Expected  Number  of  Software  Errors 
Detected  and  Corrected  by  Time  t 
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4.  GAMMA  APPROXIMATION  FOR  A LARGE-SCALE  SOFTWARE  SYSTEM 

In  section  3 we  obtained  several  quantities  of  interest  in 

terms  of  first  passage  time  distribution,  G (t)  . However,  the 

N,  n0 

computation  of  G (t)  for  a large-scale  software  system  is 
N,n0 

difficult  and  almost  impossible  for  very  large  N . From  a practical 
point  of  view,  we  would  like  to  get  an  approximate  solution  of  these 
equations  for  large  N . 

By  studying  the  pdf's  of  Figure  3.1,  we  note  that  the  distri- 
butions of  first  passage  time  can  be  approximated  by  a Gamma  distri- 
bution. To  use  the  moment  estimation  method  for  the  parameters  of  a 
Gamma  distribution  we  must  develop  another  way  to  find  the  moments 

of  first  passage  time  without  using  G (t)  . 

N,n0 

Let  T be  a random  variable  representing  the  first  passage 

n,  nQ 

time  from  N to  nQ  . Recall  from  equation  (3.9)  we  have 


GN,n0(t)  = VnQ  * Vn0(t) 


'4.1) 


Then,  the  random  variable  T„  corresponding  to  t ) can 

N , n^  i 

be  expressed  by 


i » T^  + T^ 

N , nQ  N , nQ  N , nQ 


(4.2) 


where  T, 


N,nr 


and  T, 


N,nr 


are  the  random  variables  with  distributions 


1 2 

fLj  (t)  and  H (t)  , respectively.  Also  note  that  from  the 

N , nQ  n , nQ 

1 2 

definitions  of  H.,  (t)  and  H.,  „ (t)  they  are  in  the  same  form 

N,n0  "*  n0 

of  first  passage  distribution  discussed  in  Goel  and  Okumoto  ( 7 ] . 
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By  using  the  results  obtained  in  [7],  we  get 


rH.n„  " E 1/rl.i 


i'V1 


E 


l.n0+i 


V“|TN.n0>  ' E 1/rl.i 


iano+1 


Var(T„  „ ) 


IN 

E 1/C2.i; 


(4.3) 


(4.4) 


(4.5) 


(4.6) 


i=no+1 


Then,  from  (4.2)  we  get  the  mean  and  variance  of  T„  ,i.e. 

N , n0  ' 


H (l/r1<i+l/r2f.) 


i=n0+1 


var(TM.n>  - E <l/rl.i^+  ’ 


(4.7) 


(4.8) 


i=n0+l 


Suppose  that  the  Gamma  distribution  to  be  used  as  an  approxima- 
tion for  G„  (t)  has  shape  parameter  a and  scale  parameter  0 , 

N,n0  2 
so  the  mean  and  variance  are  given  by  o/P  and  0/p  , respectively. 

Using  the  method  of  moments  for  estimating  the  parameters  a and  g 

we  have 


W 

£ (l/rl,i+l/r2,i>  * «/* 


(4.9) 


i“n0+1 


Therefore,  we  have 


N 


22  'i/ri.i*  i/r2.i] 


Lmno+1 


N 


(4.11) 


y*!  U/r2,i  + 1/r2,i 


i=n0+! 


N 


n v - 

i 22  ' 

* i*=n-+ 1 ' 


N 


(4.12) 


(l/r2/i2+l/r2/i2) 


i=n0+1 

Numerical  examples  of  this  approximation  for  various  nQ  are 
given  in  Table  4.1,  where  N=100,  p-0.9,  X = 0.02  and  ^ = 0.05.  We 
also  compute  the  relative  losses  for  3rd,  and  4th  moments  around  the 
mean,  to  see  how  good  the  approximations  are.  Figure  4.1  shows  the 
relative  losses  for  3rd  and  4th  moments  around  the  mean  with  N,  where 
p-0.9,  \ *0.02,  n = 0.05  and  nQ*0.2N. 

Based  on  these  results  we  find  that  the.  Gamma  approximation  of 
first  passage  time  distribution  for  a large-scale  software  system 
is  reasonably  good. 

Plots  of  first  passage  time  using  Gamma  approximations  are 
shown  in  Figure  4.2  for  N— 100,  p— 0.9,  x—0.02  and  y—0.05. 

The  state  occupancy  probabilities  and  software  system  avail- 
ability based  on  Gamma  approximation  for  N-100,  p-0.9,  X-0.02  and 
r<'J.05  are  given  in  Figure  4.3. 
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TABLE  4.1 

GAMMA  APPROXIMATIONS  FOR  FIRST  PASSAGE  TIME  DISTRIBUTIONS 
(N=100,  p=0.9,  X=0.02,  n=0.05) 


175 

.65 

145 

38 

123 

64 

106 

67 

92. 

74 

80 

94 

70. 

69 

61 

63 

53.52 

46,  18 
39.47 
27.58 
17.26 
8.15 


326.14 
208.75 
148.57 
111. 98 
87.39 
69.72 
56.41 
46.03 
37.70 
30.88 
25. 18 
16.20 
9.46 
4.21 


94.61 

101.25 

102.89 

101.60 

98.42 

93.96 

88.57 

82.53 

75.99 

69.08 

61.89 

46.93 

31.48 

15.79 


0.539 

0.696 

0.832 

0. 953 
1.061 

1.  161 
1.253 
1.339 
1.420 
1.496 
1.568 
1.702 
1.824 
1.94 


Relative 

LOSS  (%) 

3rd.  Moment 

4th  Moment 

35.95 

4.17 

30.09 

2.86 

25.84 

2.19 

22.61 

1.80 

20.  10 

1.55 

18.  11 

1. 39 

16.52 

1.28 

15.24 

1.22 

14.21 

1.  19 

13.  38 

1.20 

12.72 

1.23 

11.77 

1.43 

11.22 

1.93 

10.93 

3.45 
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Figure  4.1  Relative  Losses  for  the  Third 
and  Fourth  Moments 
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5.  CONCLUDING  REMARKS 

In  Section  2 we  developed  a model  for  the  operational  phase 
of  a software  system  which  incorporates  the  uncertainty  of  error 
removal  and  the  time  spent  in  correcting  errors. 

In  Section  3,  expressions  were  derived  for  the  distribution 
of  time  to  a specified  number  (ng)  of  errors  remaining  in  the  soft- 
ware system  starting  with  an  initial  number  of  errors  N , the 
state  occupancy  probabilities,  software  system  availability,  and 
the  number  of  errors  detected  and  corrected  by  time  t . 

An  approximation  using  Gamma  distribution  was  discussed  in 
Section  4 for  large-scale  software  systems. 
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APPEND IX  A 


The  following  lemma  which  is  known  as  Heaviside  Expansion 
Theorem  is  useful  in  our  analysis. 


Lemma  A. 1 For  any  integer  values  n^  , N a n^  amd  any  real  number 


-ci > 0 . i » nQ, nQ+ 1, . . . ,N 


N c . N 

n . .1-  •=  £ 


ci 


s + c . , " N< i,n~  S + c. 

i-nQ  l x“n0  0 1 


(A.  1) 


where 
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From  Lemma  A. 1 we  give  the  following  corollary  which  is  needed  for 
computational  purposes: 


Corollary  A. 2 Le t 

Hn  n (s)  “ K n (s)  nN  n (s) 
N i n ^ i n N * n | N # r*  ^ 


(A. 3) 


where 
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(A.  5) 


Then  the  inverse  of  Laplace-Stielt jes  (L-S)  transform  of  n n 
is  given  by 


(s  ) 
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